ddos / no connection tracking / tarpitting

Taylor Grant gtaylor at riverviewtech.net
Fri Apr 22 08:52:09 CEST 2005


> You *must* use the rule
> 
> iptables -t raw -A PREROUTING -s 1.2.3.4 -p tcp --sport 5678 -j NOTRACK
> 
> as well, otherwise conntrack will pick up the reply packets from the
> TARPIT target.

Very good point.



More information about the netfilter mailing list